Add trusted publishing (OIDC) (#1135)

maresb · web-flow · commit d4a2b2bf0373 · 2025-01-16T10:13:40.000+01:00
* Add trusted publishing * Don't persist credentials in pypi.yml Ref: <https://woodruffw.github.io/zizmor/audits/#artipacked> * Don't attempt to publish from forks * Include more comments
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -21,6 +21,10 @@ jobs:
   make_sdist:
     name: Make SDist
     runs-on: ubuntu-latest
+    permissions:
+      # write id-token and attestations are required to attest build provenance
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -31,6 +35,11 @@ jobs:
       - name: Build SDist
         run: pipx run build --sdist
 
+      - name: Attest GitHub build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*.tar.gz
+
       - uses: actions/upload-artifact@v4
         with:
           name: sdist
@@ -52,6 +61,10 @@ jobs:
   build_wheels:
     name: Build wheels for ${{ matrix.platform }}
     runs-on: ${{ matrix.platform }}
+    permissions:
+      # write id-token and attestations are required to attest build provenance
+      id-token: write
+      attestations: write
     strategy:
       matrix:
         platform:
@@ -67,6 +80,11 @@ jobs:
       - name: Build wheels
         uses: pypa/cibuildwheel@v2.22.0
 
+      - name: Attest GitHub build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ./wheelhouse/*.whl
+
       - uses: actions/upload-artifact@v4
         with:
           name: wheels-${{ matrix.platform }}
@@ -75,6 +93,10 @@ jobs:
   build_universal_wheel:
     name: Build universal wheel for Pyodide
     runs-on: ubuntu-latest
+    permissions:
+      # write id-token and attestations are required to attest build provenance
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -93,6 +115,11 @@ jobs:
         run: |
           PYODIDE=1 python setup.py bdist_wheel --universal
 
+      - name: Attest GitHub build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*.whl
+
       - uses: actions/upload-artifact@v4
         with:
           name: universal_wheel
@@ -129,9 +156,16 @@ jobs:
 
   upload_pypi:
     name: Upload to PyPI on release
+    # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
+    # workflow by requiring signoff from a maintainer.
+    environment: release
+    permissions:
+      # write id-token is required for trusted publishing (OIDC)
+      id-token: write
     needs: [check_dist]
     runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.action == 'published'
+    # Don't publish from forks
+    if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published'
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -150,6 +184,4 @@ jobs:
           path: dist
 
       - uses: pypa/gh-action-pypi-publish@v1.12.2
-        with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
+        # Implicitly attests that the packages were uploaded in the context of this workflow.
